Vulnerability Name:

CVE-2022-2191 (CCN-230671)

Assigned:2022-07-07
Published:2022-07-07
Updated:2022-09-09
Summary:In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers back to the configured ByteBufferPool on error code paths, so repeated TLS errors drain the pool and can lead to a denial of service.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-404
Vulnerability Consequences:Denial of Service
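The summary describes a CWE-404 pattern: a buffer is taken from a pool, the TLS layer throws, and the buffer is never returned. The following Java example is added for this page and is not Jetty's code; it uses a small hypothetical bounded pool (BoundedBufferPool, HandshakeFailure, unwrap, fillLeaky, fillFixed are all assumed names) so that the leak is observable after a handful of failing connections. The leaky variant skips the release on the error path; the fixed variant pairs every acquire() with a release() in a finally block, which is the general remedy for this bug class regardless of how a particular pool is implemented.

```java
import java.nio.ByteBuffer;
import java.util.ArrayDeque;
import java.util.Deque;

/*
 * Added illustration, not Jetty's code. A bounded pool of direct ByteBuffers
 * and two versions of a "fill from the TLS layer" step. The leaky version shows
 * the CWE-404 pattern behind CVE-2022-2191 (buffer acquired, error thrown,
 * buffer never released); the fixed version releases in a finally block.
 * Every class and method name below is an assumption made for this demo.
 */
public class PooledBufferLeakDemo {

    /** Minimal bounded pool; acquire() throws once every buffer is checked out. */
    static final class BoundedBufferPool {
        private final Deque<ByteBuffer> free = new ArrayDeque<>();
        private final int capacity;

        BoundedBufferPool(int capacity, int bufferSize) {
            this.capacity = capacity;
            for (int i = 0; i < capacity; i++) {
                free.push(ByteBuffer.allocateDirect(bufferSize));
            }
        }

        ByteBuffer acquire() {
            ByteBuffer b = free.poll();
            if (b == null) {
                throw new IllegalStateException("pool exhausted: all " + capacity + " buffers outstanding");
            }
            b.clear();
            return b;
        }

        void release(ByteBuffer b) {
            free.push(b);
        }

        int available() {
            return free.size();
        }
    }

    /** Simulated per-connection TLS failure (bad record, handshake error, ...). */
    static final class HandshakeFailure extends RuntimeException {
        HandshakeFailure(String msg) {
            super(msg);
        }
    }

    /** Stand-in for the SSLEngine unwrap step: fails when the peer sends garbage. */
    static void unwrap(ByteBuffer in, boolean peerSendsGarbage) {
        if (peerSendsGarbage) {
            throw new HandshakeFailure("bad TLS record");
        }
        in.flip(); // decrypted application data would be consumed here
    }

    /** Vulnerable pattern: the throw from unwrap() skips the release. */
    static void fillLeaky(BoundedBufferPool pool, boolean peerSendsGarbage) {
        ByteBuffer in = pool.acquire();
        unwrap(in, peerSendsGarbage); // throws on the error path ...
        pool.release(in);             // ... so this line is never reached
    }

    /** Fixed pattern: every acquire() is matched by a release(), error or not. */
    static void fillFixed(BoundedBufferPool pool, boolean peerSendsGarbage) {
        ByteBuffer in = pool.acquire();
        try {
            unwrap(in, peerSendsGarbage);
        } finally {
            pool.release(in);
        }
    }

    /**
     * Run 'attempts' connections that all fail at the TLS layer and report how many
     * pooled buffers are still available. Each connection's own error is swallowed,
     * as a server would log and drop a bad client; only pool exhaustion stops the loop.
     */
    static int buffersLeftAfterFailures(BoundedBufferPool pool, int attempts, boolean fixed) {
        for (int i = 0; i < attempts; i++) {
            try {
                if (fixed) {
                    fillFixed(pool, true);
                } else {
                    fillLeaky(pool, true);
                }
            } catch (HandshakeFailure perConnectionError) {
                // expected: the misbehaving client is dropped, the server keeps serving
            } catch (IllegalStateException poolExhausted) {
                System.out.println("connection " + (i + 1) + ": " + poolExhausted.getMessage());
                break;
            }
        }
        return pool.available();
    }

    public static void main(String[] args) {
        int capacity = 4;
        int bufferSize = 16 * 1024;
        int left = buffersLeftAfterFailures(new BoundedBufferPool(capacity, bufferSize), 10, false);
        System.out.println("leaky: " + left + " of " + capacity + " buffers left");
        left = buffersLeftAfterFailures(new BoundedBufferPool(capacity, bufferSize), 10, true);
        System.out.println("fixed: " + left + " of " + capacity + " buffers left");
    }
}
```

With the leaky fill, the pool is drained after as many failing connections as it has buffers, and from then on even well-behaved clients cannot obtain one; with the fixed fill the pool stays full no matter how many connections fail. The demo pool throws on exhaustion only to make the leak visible. A pool that allocates a fresh buffer on a miss would instead grow direct memory with every failed connection, which ends in the same availability impact the CVSS vector above records (AV:N/PR:N/A:H: an unauthenticated network client can trigger the error path at will).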
References:Source: MITRE
Type: CNA
CVE-2022-2191

Source: XF
Type: UNKNOWN
eclipse-cve20222191-dos(230671)

Source: CCN
Type: Eclipse GIT Repository
SslConnection does not release pooled ByteBuffers in case of errors

Source: CONFIRM
Type: Exploit, Vendor Advisory
https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20220909-0003/

Source: CCN
Type: IBM Security Bulletin 6825139 (QRadar User Behavior Analytics)
Multiple vulnerabilities in Zookeeper affecting IBM QRadar User Behavior Analytics (CVE-2022-2191, CVE-2022-2047, CVE-2022-2048, CVE-2022-24823, CVE-2020-36518)

Source: CCN
Type: IBM Security Bulletin 6825513 (Rational Change)
Multiple Vulnerabilities in Rational Change Fix Pack 04 for 5.3.2

Source: CCN
Type: IBM Security Bulletin 6825515 (Rational Synergy)
Multiple Vulnerabilities in Rational Synergy 7.2.2.4

Source: CCN
Type: IBM Security Bulletin 6829321 (InfoSphere Information Server)
Multiple vulnerabilities in Eclipse Jetty affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6840987 (Rational Performance Tester)
Rational Performance Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate these vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6840989 (Rational Performance Tester)
Rational Service Tester contains vulnerabilities which could affect Eclipse Jetty. Rational Service Tester has taken steps to mitigate these vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6983274 (Cognos Command Center)
IBM Cognos Command Center is affected by multiple vulnerabilities

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-2191

Vulnerable Configuration:Configuration 1:
  • cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.0.9)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 10.0.0 and <= 10.0.9)

  Configuration CCN 1:
  • cpe:/a:eclipse:jetty:10.0.0:-:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_performance_tester:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
